Crypto Basics

“In order to understand security in cyberspace, you need to understand cryptography. You don’t have to understand the math, but you have to understand its ramifications” – Bruce Schneier

Following my previous articles here and here about Public Key Infrastructure (PKI) let’s reinforce and review the crypto stuff that makes its foundations.

Confidentiality ensures that a message can be read only by the intended recipient. Confidentiality is achieved through the use of encryption. Encryption is the mathematical transformation of plain text into ciphertext using an algorithm and a key. There are two types of encryption systems:

Symmetric Encryption: Also called shared-key encryption or secret-key cryptography, A symmetric encryption algorithm uses a single key that both the sender and recipient possess. The same key is used to encrypt and decrypt data and is shared by both parties. If Alice wants to send Bob a secret document they agree on a cryptosystem and a common key. Alice encrypts the secret document (plaintext) using the agreed algorithm and the secret key. This will produce a encrypted document (ciphertext) that she will sent to Bob. Bob will decrypt the document using the same algorithm and same key and reads it. Example of symmetric encryption algorithm are DES, 3DES, RC2 or AES. The following picture illustrates this process.

Let’s see how we could encrypt (enc) a plaintext document (-in) using a symmetric algorithm (-des3) using a key (-k) to produce a ciphertext document (-out). This will be done on a Linux command line with OpenSSL.

$openssl enc -des3 -k secretkey -in plaintext.doc -out ciphertext.bin

Now that we have our encrypted the plaintext document lets dump the contents of both files in hexadecimal and ASCII (hexdump -C) both files to see the plaintext and the gibberish.

We can also encrypt files on Windows system by taking advantage of the EFS functionality. To do this operation we will need to first generate a new certificate and key (cipher /K). Then we could encrypt (/E) a plaintext document using a symmetric algorithm. This will be done on a Windows command line with cipher /E. We can then display information about the encrypted with (/C).

Asymmetric encryption: Unlike the symmetric encryption that uses the same key, asymmetric encryption uses multiple keys. There are two mathematically related keys. It’s a key pair consisting of a public key and a private key which are used for the encryption and decryption process. If the public key is used for encryption, the associated private key is used for decryption – this is the encryption process. If the private key is used for encryption, the associated public key is used for decryption – this is the signing process. The private key should be kept secret and the public key can be freely distributed. The public key which can be an attribute of a digital certificate is usually published in a public directory service such as LDAP or Active Directory. You can also combine public-key encryption with hash algorithms to produce a digital signature. If Alice wants to send Bob a secret document they agree on a public-key cryptosystem. Bob then sends Alice his public key. Alice encrypts the secret document using Bob’s public key and sends it to Bob. Bob will decrypt the document using the same algorithm and his private key. Example of asymmetric encryption algorithms are RSA, DSA, ElGamal, and ECC. Below is an illustration of this process using a public directory service:

Let’s see how Bob could create a RSA key pair (genrsa) and save it to a file (bob-privatekey.pem). Then Bob will export his public key (-pubout) and save it a file (bob-publickey.pem).

Alice can now use Bob public key to send her a encrypted version of the plain text document. Alice will use the RSA algorithm (rsautil -encrypt) with Bob public key (-pubin bob-publickey) to encrypt plaintext (-in plaintext.doc) and save the ciphertext to a file (-out ciphertext.bin).

Integrity assures the recipient that a message has not been altered. Integrity is achieved through the use of hashing functions. Hashing is the mathematical result of taking the plain text (arbitrary length data) as input and producing a fixed-length output. The result is called message digest or fingerprint. Passing the same plain text through a hash function always produces the same result. If a single character is changed in the plaintext document, the resulting message digest will be different. Hash algorithms like MD5 and SHA1 are commonly used. Hash functions are used in digital signatures, since they can be efficiently used for detecting message tampering. If Alice wants to send Bob a document and they want to ensure the document has not been changed. Alice and Bob agres on the hashing algorithm. Alice produces a one-way hash of the document. Alice sends the document and the hash to Bob. Bob produces the one-way hash of the document using the same hash function. If the hash match the hash generated then Bob can attest its integrity.

Let’s see how we could produce the plaintext document message digest using a hashing algorithm (sha1). This will be done on a Linux command line with OpenSSL and/or sha1sum.

Authentication and Non-Repudiation assures the recipient of a message that the originator participated in the transaction and is who he or she claims to be. Authentication and non-repudiation is achieved through a combination of asymmetric encryption and hashing functions. Although encryption can keep data secret and protect against alterations, a digital signature proves the senders identity (authentication) and ensures the participation of the signer cannot be denied (non-repudiation). If Alice wants to digital sign a document and sent it to Bob they both agree on digital signature algorithm. Alice produces a one-way hash of the document. Alice encrypts the hash with her private key, thereby signing the document. Alice sends the document and the signed hash to Bob. Bob produces the a one-way hash of the document using the same hash function. Then using the digital signature algorithm, decrypts the signed hash with Alice’s public key. If the signed hash match the hash generated then Bob can attest the signature is valid (authentication and non-repudiation). The following picture illustrates this process.

Lets demonstrate how we could digital sign a message using OpenSSL. To sign plaintext.doc you need to calculate its hash (dgst -sha1) and then encrypt (-sign) that hash using your private key (privatekey.pem) and save the result to file (alice-signature.bin).

Then Alice sends the signature and the plaintext to Bob. Alice public key is made available to Bob (e.g Ldap, ActiveDirectory, etc). Bob then can verify the signature of a message attesting its proof of origin and integrity.

Hopefully, with this article you now have a slight better understanding on how cryptography protects users by providing functionality for the encryption of data and authentication of other users. Symmetric-key encryption is a excellent method for quickly and securely encrypting data. However, the condition that sender and receiver must exchange a secret key before data can be exchanged is its weakness and limitation. Combining symmetric algorithms to encrypt the data with public-key algorithms to exchange the secret key produces a solution that is both fast and scalable.

It was also described with illustrations how someone can achieve confidentiality trough the use of symmetric and/or asymmetric encryption systems. How hashing functions are used to achieve integrity. Moreover how to combine encryption systems and hashing functions to produce digital signatures and achieve authentication and non-repudiation. With the use of the most famous characters – Alice and Bob – in modern cryptography examples were complemented with the usage of simple OpenSSL and Microsoft EFS commands.

Cryptography is a colossal, fascinating and mysterious world. If you like cryptography and you want to better understand the techniques and concepts behind it then a indispensable reference is the Applied Cryptography: Protocols, Algorithms and Source Code in C by Bruce Schneier. For a brilliant review of the history behind cryptography than David Kahn’s The Code Breakers is essential. If you would like to read about the intriguing stories of espionage behind the history breakthroughs of codes and code breaking then Simon Singh The Code Book is a must.

For a more hands-on approach the CrypTool – project started by Prof. Bernhard Esslinger – is the most complete e-learning tool available to raise awareness and increase the interest in cryptography. CrypTool v1 was originally designed as a business application for information security training but is now an important open-source Windows project in the field of cryptology. Successors are CrypTool v2 (for Windows .NET) and JCrypTool (for Unix, Windows and MacOS). As a complement to these offline CrypTool programs there is the MysteryTwister C3 (MTC3) international cryptography competition. This website offers four levels of cipher challenges from simple challenges consisting in breaking a Caesar cipher or solving the “Greetings from Russia with love” to complex crypto problems like RSA factoring — most of them embedded in interesting stories.